Disaster recovery, business continuity, and forensics have become closely related topics. You might think forensics applies only to criminal activity, and it often does, but forensic techniques are frequently the best method for determining what caused an information technology-related disaster and for avoiding a repeat of that disaster, or at least mitigating its consequences. The forensic process really begins once an incident has been discovered, but it is not fully under way until after the disaster or incident is contained. Before you examine the forensic process for disasters, it is a good idea to start with a basic understanding of disaster recovery.
There are typically two plans that most businesses have in place for responding to disasters. These are the business continuity plan (BCP) and the disaster recovery plan (DRP). The BCP is focused on keeping the organization functioning as well as possible until a full recovery can be made. A DRP is focused on executing a full recovery to normal operations. For example, if a virus takes the main Web server offline, the BCP would be concerned with what can be done to get at least minimal resources back online, while the DRP would be focused on actually returning the organization to full functionality.
When an incident occurs, regardless of its level or severity, there needs to be an organized response. For example, a single workstation infected with a virus probably does not constitute a disaster. However, if it is not responded to quickly, it may grow into a disaster as the virus spreads. Proper incident response is important. Every incident response plan must include some key steps, which are described below.
Containment – The first step is always to limit the incident, which means keeping it from affecting more systems. In the case of a virus, the strategy is to keep the virus from spreading. It is probably a good idea to have a policy in place that instructs users to disconnect their computers from the network and then call tech support if they suspect they have a virus. This contains the virus and prevents it from spreading further.
Eradication – Once the incident is contained, the next step is to eradicate the problem. In the case of malware, the issue is to remove the malware. In some cases, anti-malware software, such as Norton, McAfee, Kaspersky, and several others, can be used to remove the malware. In other cases, the IT staff may need to manually remove the malware. Instructions for manually removing malware can be found on these antivirus software websites, as well as other online resources, when searching the name of the
Recovery – Recovery involves returning the affected systems to normal status. In the case of malware, that means ensuring the system is back to full working order with no presence of the malware whatsoever. In many cases, this involves restoring software and data from a backup source that has been verified to be free of the malware infection.
The Business Impact Analysis is a process in which the disaster recovery team contemplates likely disasters and the impact each would have on the organization. For example, a company that ships goods to retail stores but does not sell directly to the public might be only slightly affected if its Web server went down for a day. A business that sells products both online and in a retail environment might be moderately affected if its Web server went down. A business that sells its products exclusively online would be severely affected if its Web server were to go down.
It’s important to understand the different types of backups that should be available when recovering from a disaster. When considering backups and restoring from a backup, there are three primary backup types you should be concerned with:
- Full backup – This is where all changes are backed up.
- Differential backup – Includes all changes since the last full backup was performed.
- Incremental backup – Includes all changes since the last backup of any type.
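To make the three backup types concrete, here is an added example (not from the original article) that simulates a full backup on day 0 followed by daily differential or incremental backups over a constructed set of files, then shows what each restore needs: the full set plus only the newest differential, versus the full set plus every incremental in order. It assumes an archive-bit style change tracker and does not model file deletions.

```python
# Constructed sample data: day 0 is the initial file tree, later days are edits.
DAYS = [
    {"a.txt": "a1", "b.txt": "b1", "c.txt": "c1"},  # day 0: full backup taken here
    {"a.txt": "a2"},                                  # day 1
    {"b.txt": "b2"},                                  # day 2
    {"a.txt": "a3", "d.txt": "d1"},                   # day 3
]


def simulate(kind):
    """Run the schedule: full on day 0, then one `kind` backup per day.

    kind is "differential" (everything changed since the last full) or
    "incremental" (everything changed since the last backup of any type).
    Returns (list of (kind, {path: content}), final live tree).
    """
    state = {}
    changed_since_full = set()  # archive-bit view for differential backups
    changed_since_any = set()   # archive-bit view for incremental backups
    backups = []
    for day, changes in enumerate(DAYS):
        state.update(changes)
        changed_since_full |= changes.keys()
        changed_since_any |= changes.keys()
        if day == 0:
            backups.append(("full", dict(state)))
            changed_since_full.clear()
            changed_since_any.clear()
        elif kind == "differential":
            # Never clears the "since full" set, so each set grows until the next full.
            backups.append(("differential", {p: state[p] for p in changed_since_full}))
        else:
            backups.append(("incremental", {p: state[p] for p in changed_since_any}))
            changed_since_any.clear()  # the bit is reset after every backup
    return backups, state


def restore(backups):
    """Rebuild the tree from a chain; returns (tree, number of sets applied)."""
    tree = dict(backups[0][1])  # always start from the full backup
    if backups[-1][0] == "differential":
        tree.update(backups[-1][1])  # newest differential supersedes earlier ones
        return tree, 2
    for _, files in backups[1:]:  # incrementals must be applied in order
        tree.update(files)
    return tree, len(backups)


def bytes_stored(backups):
    """Total content size across the chain: the storage cost of each strategy."""
    return sum(len(c) for _, files in backups for c in files.values())
```

Restoring either chain yields the same tree, but the differential chain needs two sets and more storage while the incremental chain needs every set back to the full.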